NIST publishes new Secure Domain Name System (DNS) Deployment Guide
Advice on organising and securing your DNS infrastructure
US standardisation and technology institute NIST has made the first public draft of its Secure Domain Name System (DNS) Deployment Guide available online. The guide provides comprehensive advice on organising and securing your DNS service. DNSSEC obviously features, but the document also covers numerous other DNS-related topics.
NIST is accepting public feedback on the draft document until 25 May.
The Secure Domain Name System (DNS) Deployment Guide goes through a long series of recommendations on organising and securing your DNS infrastructure. Naturally, authoritative DNS services and recursive resolvers are considered, and the relationship between DNS security and more general information security is addressed as well.
A number of important topics and focus points highlighted in the guide are summarised below, along with some of the key takeaways.
The DNS is a critical infrastructure component and should therefore be covered by an organisation-wide information security strategy
Because it is scalable and efficient, an organisation’s DNS set-up is a good place to implement security measures, as shown by the many security protocols built on top of the DNS (e.g. SPF/DKIM/DMARC, DANE and ZONEMD) and by DNSBLs (for blocking spam)
Use of a DNS resolver to block access to malware domains ("Protective DNS")
Securing the authenticity of DNS data by using DNSSEC
Screening the transport of DNS information by using DoT/DoH/DoQ
Managing domain names and DNS systems
Protecting against DoS attacks
Administering and signing zones on a separate hidden primary name server
Securing zone transfers, e.g. by means of TSIG and access control lists (ACLs)
Screening Dynamic DNS (DDNS) updates, e.g. by using TSIG
Looking out for lookalikes and typosquatting
TTL settings
DNSSEC is an (important) element of DNS security
Validity periods of key pairs and signatures
Recursive resolvers, forwarders and stub resolvers
Encrypted DNS services based on the use of DoT/DoH/DoQ
Blocking of DNS queries other than by the organisation’s own resolvers
Management and updating of DNSSEC trust anchors
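To make three of the listed points concrete (a hidden primary, zone transfers protected by TSIG and an ACL, and dynamic updates protected by TSIG), here is an added BIND 9 named.conf illustration. It is not taken from the NIST guide or from this article; the zone name, the IP addresses and the key material are constructed placeholders, and the "hidden primary" and "public secondary" sections are meant for two different servers, not one file.

```conf
// ---------- on the hidden primary (198.51.100.5, not listed in the zone's NS records) ----------

// TSIG key shared only with the public secondaries. Generate a real one with
//   tsig-keygen -a hmac-sha256 xfer-key
// The secret below is a placeholder, not a working key.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET_REPLACE_ME==";
};

// A separate key for the DHCP server that sends DDNS updates; never reuse
// the transfer key for updates, so that a leaked key has a limited blast radius.
key "ddns-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET_REPLACE_ME==";
};

// Source addresses of the public (visible) secondaries; constructed values.
acl "secondaries" { 192.0.2.10; 192.0.2.11; };

options {
    directory "/var/named";
    recursion no;                              // authoritative only, never a resolver
    allow-transfer { none; };                  // global default, overridden per zone
    notify explicit;                           // notify only the hosts in also-notify
    also-notify { 192.0.2.10; 192.0.2.11; };
};

zone "example.com" {
    type primary;
    file "example.com.db";
    // AXFR/IXFR is allowed only when BOTH the source address is in the ACL
    // and the request carries a valid TSIG signature with xfer-key.
    allow-transfer { !{ !secondaries; any; }; key xfer-key; };
    // DDNS: the DHCP key may add or remove A/AAAA records below the zone
    // apex, nothing else (no NS, SOA, DS or apex changes).
    update-policy { grant ddns-key zonesub A AAAA; };
    // BIND signs the zone itself and rolls the keys on the built-in schedule,
    // so signature and key validity periods are managed on this host only.
    dnssec-policy "default";
};

// ---------- on each public secondary (192.0.2.10 / 192.0.2.11) ----------

key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET_REPLACE_ME==";
};

zone "example.com" {
    type secondary;
    file "example.com.db";
    // Pull the signed zone from the hidden primary, authenticating with TSIG.
    primaries { 198.51.100.5 key xfer-key; };
    allow-transfer { none; };                  // the public servers never re-serve AXFR
};
```

The nested `!{ !secondaries; any; }` construct is the usual BIND idiom for requiring the ACL and the key together rather than either one; with a plain `{ secondaries; key xfer-key; }` a matching address alone would be enough. The secondaries also only expose signed data, and because the primary is not in the NS set, it can be firewalled so that only the secondaries and the DHCP server can reach port 53 on it.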
Those topics and many others are covered in NIST's new Deployment Guide. We advise DNS operators to read the guide to see what else they could do to improve their infrastructures.